Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I make my dashboard filter set include all records with a NULL or no value?

mal81394
New Member
‎10-26-2018 06:35 AM

Hi All,

I have a filter set on a dashboard and by default, I have it set to include all values. How do I make it so that it also includes all records with a NULL or no value?

Here's another way to state this: when I select "ALL" in the filter, I want to see all records with or without a value in them. Then, when I select a specific value to filter on, obviously I want to see only records for that value. Below is my multi-select filter.

  <label>Assigned To:</label>
  <default>*</default>
  <choice value="*">All</choice>
  <search>
    <query>
      <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
    </query>
    <earliest>$TIME.earliest$</earliest>
    <latest>$TIME.latest$</latest>
  </search>
  <delimiter> OR </delimiter>
  <prefix>(</prefix>
  <suffix>)</suffix>
  <valuePrefix>group="</valuePrefix>
  <valueSuffix>"</valueSuffix>
  <fieldForLabel>group</fieldForLabel>
  <fieldForValue>group</fieldForValue>
</input>
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎10-26-2018 08:50 PM

@mal81394,

Try changing your input section as below, - assuming "group" is your token name.

 <input type="multiselect" token="group">
    <label>Assigned To:</label>
   <default>*</default>
   <choice value="*">All</choice>
   <search>
     <query>
       <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
     </query>
     <earliest>$TIME.earliest$</earliest>
     <latest>$TIME.latest$</latest>
   </search>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>group="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <fieldForLabel>group</fieldForLabel>
   <fieldForValue>group</fieldForValue>
  <change>
    <condition label="All">
      <set token="group">(group=* OR NOT group="*")</set>
    </condition>
  </change>   
 </input>

Below is a run anywhere example.

<form>
  <label>MultiSelect Dropdown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key">
      <label>Assigned To:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>key="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>key</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <search>
        <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition label="All">
          <set token="key">(key=* OR NOT key="*")</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)
|search $key$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
SplunkTrust
SplunkTrust
‎10-26-2018 08:50 PM

@mal81394,

Try changing your input section as below, - assuming "group" is your token name.

 <input type="multiselect" token="group">
    <label>Assigned To:</label>
   <default>*</default>
   <choice value="*">All</choice>
   <search>
     <query>
       <![CDATA[index=NIM sourcetype=transaction | dedup group | stats count by group]]>         
     </query>
     <earliest>$TIME.earliest$</earliest>
     <latest>$TIME.latest$</latest>
   </search>
   <delimiter> OR </delimiter>
   <prefix>(</prefix>
   <suffix>)</suffix>
   <valuePrefix>group="</valuePrefix>
   <valueSuffix>"</valueSuffix>
   <fieldForLabel>group</fieldForLabel>
   <fieldForValue>group</fieldForValue>
  <change>
    <condition label="All">
      <set token="group">(group=* OR NOT group="*")</set>
    </condition>
  </change>   
 </input>

Below is a run anywhere example.

<form>
  <label>MultiSelect Dropdown</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="key">
      <label>Assigned To:</label>
      <choice value="*">All</choice>
      <default>*</default>
      <initialValue>*</initialValue>
      <valuePrefix>key="</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter> OR </delimiter>
      <fieldForLabel>key</fieldForLabel>
      <fieldForValue>key</fieldForValue>
      <search>
        <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <change>
        <condition label="All">
          <set token="key">(key=* OR NOT key="*")</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults|eval key="A,B,C,NULL,D"|makemv key delim=","|eval values="A_VALUE,B_VALUE,C_VALUE,NULL_VALUE,D_VALUE"|makemv values delim=","
|eval x=mvzip(key,values)|mvexpand x|table x|eval x=split(x,",")|eval key=mvindex(x,0),values=mvindex(x,1)|fields - x|eval key=if(key=="NULL",null(),key)
|search $key$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

mal81394
New Member
‎10-29-2018 06:17 AM

Thanks so much! This worked perfectly!

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...